By Mark Fuentes, Senior CyberOps Consultant, Horangi Cyber Security
Cyber security is making its way to the forefront of every enterprise’s agenda. Even for organizations where cyber security is not a priority, cyber security is becoming an area of deep concern in boardrooms. As we delve deeper into the 21st century, enterprises that have been operating successfully for years and even decades with very little thought to digitization, let alone cyber security, are scrambling to address the challenges of a cyber space full of threats.
This danger is compounded by media reports of new high-profile cyber attacks almost every other week. According to industry reports, cyber attacks are becoming more frequent and have increased in scope.
So how do businesses react to this new challenge? They throw money at the problem.
In a 2017 report, Gartner forecast that global spending on enterprise security will reach US$96.3 billion in 2018, an increase of 8% from 2017. In the mad dash to beef up enterprise security and protect their assets from cyber threats, many enterprises fall into bad spending habits.
Fear of Loss
In the face of an immediate threat, the natural reaction is to strengthen defenses with all haste. This is exactly the approach that businesses are taking, and understandably so, as they are most concerned with avoiding loss. Much of cyber security spending is framed in terms of how much money the business would lose in the event of a potential cyber security attack. One of the most commonly used practices for selling cyber security solutions is to make the fear real for the decision-maker. This fear-based approach helps sell solutions but leads to poor spending practices: supplementing existing business systems with cyber security requirements, investing in narrowly focused, specialized solutions, and spending budgets in a reactive, short-sighted manner.
This approach is the equivalent of treating each cyber security requirement that crops up as one tree in a vast forest of similar requirements. Businesses are dealing with each tree on its own, when they should consider the whole forest in order to navigate it properly.
As the old saying goes, “They can’t see the forest for the trees.”
The Cyber Security Transplant
Many of today’s businesses function on systems and processes that were created before rapid digitization and were designed without taking those implications into account.
The most common approach to addressing a business's cyber security needs is to supplement its existing systems and processes with cyber security solutions. Since the transplant of added security functions and requirements exceeds what many of these established processes were originally designed to carry, enterprises end up with unintended and less efficient results.
Doing One Thing Well
Businesses tend to review their cyber security needs on an ad-hoc basis. Do we need a firewall to lock down network activity and secure our people? What about a patch management solution? Is there a vendor that can perform these functions best and at a reasonable price?
This kind of implementation is not uncommon. It makes sense, is straightforward and there are clear results. There’s no need to fix something that isn’t broken, right?
While it is easy to fall into the practice of addressing requirements as they arise, there are drawbacks. It is difficult to gauge the effectiveness of these solutions relative to the money spent.
Without an overarching strategy, spending occurs as needs arise and does not take priorities into account. Additionally, there is a risk of deploying overly complex systems. An enterprise that builds a cyber security program in this manner will eventually have a collection of disparate solutions, and any deficiencies in the resulting system become difficult to diagnose.
The Knee-Jerk Response
In the two scenarios above, the spending is not only on point solutions but also reactionary. Reactionary spending is a short-sighted approach that lacks strategy and makes it difficult to gauge the cost-effectiveness of the solutions acquired.
Enterprises need to deal with cyber security holistically, and not on an ad-hoc basis. Having a proper strategy in place means having the capability to deal with challenges as they crop up.
Cyber Security is Everything
The challenge in building an effective cyber security program is relatively new. Enterprises recognize the need for it but approach cyber security as a new business component to be added to existing business processes. This should not be the case. Cyber security changes the way business is done and affects all business processes. Cyber security is everything.
Businesses that hope to implement highly-effective cyber security strategies need to take a step back and consider their organization as a whole and how cyber security affects every part of it.
The foundation of a cyber security strategy is built from a thorough assessment to identify an enterprise’s assets, critical business processes, and the threats to those assets and processes. A comprehensive accounting of these things will enable an accurate risk assessment to determine the priority in which those risks need to be addressed.
From the Ground-up
Armed with the knowledge gained from a comprehensive assessment, enterprises can begin to craft a strategy for their organization that takes into account the whole and not just its disparate parts. A holistic approach provides the ability to visualize how the enterprise is implementing security from end to end.
A strategy formulated in this manner will capture potential risks and prioritize them by severity, impact to the organization, cost, opportunities for solution integration, and level of difficulty to implement. These decisions are complicated and involve serious consideration, but they could not even be considered without a full picture of an organization’s risk profile.
A holistic cyber security strategy contends that cyber security touches all facets of a business. Under this approach, business processes would generally need to be re-designed with cyber security considerations integrated at the foundational level. This means designing a cyber security strategy from the ground-up with the ability for integration into new business processes and scalability as opposed to deploying solutions that are to be grafted onto existing business processes.
An overarching, comprehensive cyber security strategy also allows for the design of platforms that consist of integrated solutions, instead of point solutions. This will provide an overview of cyber security requirements that will enable advanced, forward-thinking spending strategies.
The Forest Emerges
With the adoption of a holistic method, enterprises become secure by design and not by necessity. Enterprises move away from a fear-based approach to cyber security and instead adopt one that is risk-based. Decisions are no longer tactical and short-sighted; they become strategic and insightful. Spending is no longer reactive; it becomes proactive and anticipatory.
With this new way of thinking, enterprises can begin to see the forest through the trees.
Background on writer: Mark Fuentes, Senior CyberOps Consultant, Horangi Cyber Security. Mark believes that the strongest edge over any adversary is information. To that end, he is an avid consumer of cyber security information that ranges from threat intelligence and zero-day exploits to the latest breakthroughs in computer science and technology. His experience of over a decade in cyber security has included work with BAE Systems, Verizon, the International Monetary Fund, and the U.S. Department of Homeland Security.